361 matches found
CVE-2026-10865
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
EUVD-2026-43152
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
CVE-2026-10865
CVE-2026-10865 affects the Cost Calculator Builder plugin for WordPress. The vulnerability exists in all versions up to 4.0.11 and arises from exposure in the template body, allowing unauthenticated attackers to read plaintext payment gateway secrets (Stripe secret key, Razorpay secret key, and P...
CVE-2026-57219
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauthclientsecret, exposing credentials to unauthenticated callers when the...
CVE-2026-57219
RabbitMQ suffers an unauthenticated disclosure vulnerability in the management API: the obsolete GET /api/auth endpoint can reveal the OAuth 2 client secret on installations configured with management.oauth_client_secret prior to versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. The issue arises when ...
PT-2026-57304
Name of the Vulnerable Software and Affected Versions RabbitMQ versions prior to 3.13.15 RabbitMQ versions prior to 4.0.20 RabbitMQ versions prior to 4.1.11 RabbitMQ versions prior to 4.2.6 Description The management plugin exposes an obsolete GET '/api/auth' endpoint that can disclose the OAuth ...
github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...
CVE-2026-46700
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...
GHSA-4Q9J-6299-GXMR Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the clientsecret field. Any network-reachable attacker can read the OAuth client secrets configured f...
PT-2026-55450
Name of the Vulnerable Software and Affected Versions dragonfly versions prior to 2.4.4 Description The Dragonfly Manager fails to enforce authentication on specific API endpoints, allowing unauthenticated network-reachable attackers to retrieve sensitive OAuth client secrets. The issue occurs...
github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...
github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...
GO-2026-5710 Prometheus Azure AD remote write OAuth client secret exposed via config API in github.com/prometheus/prometheus
Prometheus Azure AD remote write OAuth client secret exposed via config API in github.com/prometheus/prometheus...
keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...
CVE-2026-9705
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...
CVE-2026-9705
Affected software & component: Keycloak – client registration service. Vulnerability: An attacker with a previously issued Registration Access Token (RAT) can re-enable a client that an administrator had disabled. This bypasses security controls and allows the attacker to reset the client’s secre...
CVE-2026-9705 Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...
CVE-2026-42604
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...
CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...
EUVD-2026-36543
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...